From 8951da2aef20f196bfb48617c6b0ced8dd50b043 Mon Sep 17 00:00:00 2001
From: Daniel Ahlberg
Date: Thu, 18 Sep 2003 14:46:38 +0000
Subject: Various fixes and patches
---
 net-misc/openssh/Manifest | 9 +-
 net-misc/openssh/files/digest-openssh-3.7.1_p1-r1 | 3 +
 .../files/openssh-3.7.1_p1-connect-timeout.patch | 28 ++++
 .../files/openssh-3.7.1_p1-double-free.patch | 24 ++++
 .../files/openssh-3.7.1_p1-memory-bugs.patch | 109 ++++++++++++++++
 .../files/openssh-3.7.1_p1-memory-leak.patch | 24 ++++
 net-misc/openssh/openssh-3.7.1_p1-r1.ebuild | 143 +++++++++++++++++++++
 7 files changed, 338 insertions(+), 2 deletions(-)
 create mode 100644 net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
 create mode 100644 net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
 create mode 100644 net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
 create mode 100644 net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
 create mode 100644 net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
 create mode 100644 net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
(limited to 'net-misc/openssh')
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 71f5974ae2b1..aa6c7efb34ce 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,11 +1,12 @@
-MD5 48dad40ebd4f72aec976e35db43a69fa ChangeLog 7693
+MD5 70c2d35365d4f3d65f60e3fd6cc98c80 ChangeLog 7887
 MD5 bf8c9e2ff963deb77f7dd8adf7ad2037 openssh-3.5_p1-r1.ebuild 3932
 MD5 3c2bbd03a745c1e0b2a5e4a6e600b030 openssh-3.6.1_p2-r1.ebuild 4148
 MD5 a50daec66d75cc8248da65d91269b359 openssh-3.6.1_p2.ebuild 3948
 MD5 564d864226cf89ea6396748305042fd9 openssh-3.6.1_p2-r2.ebuild 4204
 MD5 9da5e02603f79633fe36e2337d4ae626 openssh-3.6.1_p2-r3.ebuild 4488
 MD5 b95ca58a06be4f68640911f9e64a8c95 openssh-3.7_p1.ebuild 4479
-MD5 fa152b8b69b99788d49b156f1c6efc68 openssh-3.7.1_p1-r1.ebuild 4083
+MD5 50373292e185c35f7a254ede2a90adda openssh-3.7.1_p1.ebuild 4634
+MD5 e7569bf0bb9f8a188e6c7edf9a2b32bc openssh-3.7.1_p1-r1.ebuild 4248
 MD5 f2472f97f00f203eee538d04a25acac5 files/digest-openssh-3.5_p1-r1 136
 MD5 3d26d49ccd595bca906f540f5d8b8c31 files/digest-openssh-3.6.1_p2 139
 MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r1 213
@@ -17,3 +18,7 @@ MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r3 213
 MD5 2509087626bbaf1ad026899718167722 files/digest-openssh-3.7_p1 137
 MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1 214
 MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1-r1 214
+MD5 af754a7a6d850621f44547c47f0a60e8 files/openssh-3.7.1_p1-memory-bugs.patch 3497
+MD5 9cf685ee972138d53ead48ab93b89229 files/openssh-3.7.1_p1-memory-leak.patch 818
+MD5 32f5b511a168f9fb7def64603643a582 files/openssh-3.7.1_p1-connect-timeout.patch 836
+MD5 fcdec1634d390aed62b8a6a7e90c4b09 files/openssh-3.7.1_p1-double-free.patch 677
diff --git a/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1 b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
new file mode 100644
index 000000000000..74e5e4611361
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
@@ -0,0 +1,3 @@
+MD5 f54e574e606c08ef63ebb1ab2f7689dc openssh-3.7.1p1.tar.gz 791161
+MD5 c425e65927b359382bf3618d265d45f1 openssh_3.6p1-5.se1.diff.bz2 54985
+MD5 62a83953c4a7fee0309961099c94d760 openssh-3.7.1p1+x509g2.diff.gz 125275
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
new file mode 100644
index 000000000000..1d62b5754524
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
@@ -0,0 +1,28 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/sshconnect.c,v
+retrieving revision 1.147
+retrieving revision 1.148
+diff -u -r1.147 -r1.148
+--- src/usr.bin/ssh/sshconnect.c 2003/06/29 12:44:38 1.147
++++ src/usr.bin/ssh/sshconnect.c 2003/09/18 07:52:54 1.148
+@@ -13,7 +13,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $");
++RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $");
+
+ #include
+
+@@ -267,9 +267,10 @@
+ optval = 0;
+ optlen = sizeof(optval);
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
+- &optlen) == -1)
++ &optlen) == -1) {
+ debug("getsockopt: %s", strerror(errno));
+ break;
++ }
+ if (optval != 0) {
+ errno = optval;
+ break;
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
new file mode 100644
index 000000000000..f712f2a45224
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
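Review bot: The added braces fix a lone `break;` that previously ran after every `getsockopt()` call, not only on failure, so the enclosing loop (presumably a loop; the enclosing function starts and ends outside the hunk) was left on the first pass; what the hunk still leaves open is that `debug("getsockopt: %s", strerror(errno))` sits between the failed `getsockopt()` and the `break`, and a logging call can overwrite `errno` before whatever follows the loop reads it. If the caller reports the failure via `errno` (not visible here), preserve it: `int saved_errno = errno; debug("getsockopt: %s", strerror(saved_errno)); errno = saved_errno;`. A one-line comment above the `if`, `/* braces matter: the break must only run when getsockopt() fails */`, would keep the next edit from reintroducing the original bug.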
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/buffer.c 2003/09/16 21:02:39 1.18
++++ src/usr.bin/ssh/buffer.c 2003/09/18 07:54:48 1.19
+@@ -12,7 +12,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $");
++RCSID("$OpenBSD: buffer.c,v 1.19 2003/09/18 07:54:48 markus Exp $");
+
+ #include "xmalloc.h"
+ #include "buffer.h"
+@@ -39,6 +39,7 @@
+ {
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
++ buffer->alloc = 0;
+ xfree(buffer->buf);
+ }
+ }
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
new file mode 100644
index 000000000000..34004df82bba
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
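Review bot: Resetting `buffer->alloc` to 0 before `xfree()` makes a second `buffer_free()` on the same struct skip the free, but `buffer->buf` still holds the freed pointer and the hunk does not touch it, so any later access that goes through the pointer rather than through `alloc` would still read freed memory. Consider `buffer->buf = NULL;` next to the reset, and clearing the other length/offset fields if the struct has them (not visible in this hunk), so a stale buffer fails loudly instead of aliasing freed storage. The ordering is otherwise right: the `memset` wipe of the contents stays ahead of the reset, so only the pointer reset is missing.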
@@ -0,0 +1,109 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/deattack.c 2002/03/04 17:27:39 1.18
++++ src/usr.bin/ssh/deattack.c 2003/09/18 08:49:45 1.19
+@@ -100,12 +100,12 @@
+
+ if (h == NULL) {
+ debug("Installing crc compensation attack detector.");
++ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+ } else {
+ if (l > n) {
++ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+ }
+ }
+
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/session.c,v
+retrieving revision 1.163
+retrieving revision 1.164
+diff -u -r1.163 -r1.164
+--- src/usr.bin/ssh/session.c 2003/08/31 13:29:05 1.163
++++ src/usr.bin/ssh/session.c 2003/09/18 08:49:45 1.164
+@@ -695,8 +695,9 @@
+ child_set_env(char ***envp, u_int *envsizep, const char *name,
+ const char *value)
+ {
+- u_int i, namelen;
+ char **env;
++ u_int envsize;
++ u_int i, namelen;
+
+ /*
+ * Find the slot where the value should be stored. If the variable
+@@ -713,12 +714,13 @@
+ xfree(env[i]);
+ } else {
+ /* New variable. Expand if necessary. */
+- if (i >= (*envsizep) - 1) {
+- if (*envsizep >= 1000)
+- fatal("child_set_env: too many env vars,"
+- " skipping: %.100s", name);
+- (*envsizep) += 50;
+- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++ envsize = *envsizep;
++ if (i >= envsize - 1) {
++ if (envsize >= 1000)
++ fatal("child_set_env: too many env vars");
++ envsize += 50;
++ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++ *envsizep = envsize;
+ }
+ /* Need to set the NULL pointer at end of array beyond the new slot.
*/
+ env[i + 1] = NULL;
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/ssh-agent.c,v
+retrieving revision 1.111
+retrieving revision 1.112
+diff -u -r1.111 -r1.112
+--- src/usr.bin/ssh/ssh-agent.c 2003/06/12 19:12:03 1.111
++++ src/usr.bin/ssh/ssh-agent.c 2003/09/18 08:49:45 1.112
+@@ -780,7 +780,7 @@
+ static void
+ new_socket(sock_type type, int fd)
+ {
+- u_int i, old_alloc;
++ u_int i, old_alloc, new_alloc;
+
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+ error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -791,25 +791,26 @@
+ for (i = 0; i < sockets_alloc; i++)
+ if (sockets[i].type == AUTH_UNUSED) {
+ sockets[i].fd = fd;
+- sockets[i].type = type;
+ buffer_init(&sockets[i].input);
+ buffer_init(&sockets[i].output);
+ buffer_init(&sockets[i].request);
++ sockets[i].type = type;
+ return;
+ }
+ old_alloc = sockets_alloc;
+- sockets_alloc += 10;
++ new_alloc = sockets_alloc + 10;
+ if (sockets)
+- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+ else
+- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+- for (i = old_alloc; i < sockets_alloc; i++)
++ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+- sockets[old_alloc].type = type;
++ sockets_alloc = new_alloc;
+ sockets[old_alloc].fd = fd;
+ buffer_init(&sockets[old_alloc].input);
+ buffer_init(&sockets[old_alloc].output);
+ buffer_init(&sockets[old_alloc].request);
++ sockets[old_alloc].type = type;
+ }
+
+ static int
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
new file mode 100644
index 000000000000..62695d6deff3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
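Review bot: In the session.c hunk, `if (i >= envsize - 1)` is computed on an unsigned `envsize` copied from `*envsizep`; should a caller ever pass `*envsizep == 0` the subtraction wraps, the grow branch is skipped, and the `env[i + 1] = NULL` store in the following context line writes past the array. The callers are outside this hunk so this may be unreachable today, but `if (envsize == 0 || i >= envsize - 1) {` closes it for one comparison. The rest of the change — committing `n`, `*envsizep` and `sockets_alloc` only after the `xmalloc`/`xrealloc` call has returned, and in ssh-agent setting `sockets[i].type = type` after the `buffer_init()` calls on both paths — reads correctly; `child_set_env` and the deattack.c function continue outside their hunks.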
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/authfile.c,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- src/usr.bin/ssh/authfile.c 2003/05/24 09:30:39 1.54
++++ src/usr.bin/ssh/authfile.c 2003/09/18 07:56:05 1.55
+@@ -36,7 +36,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: authfile.c,v 1.54 2003/05/24 09:30:39 djm Exp $");
++RCSID("$OpenBSD: authfile.c,v 1.55 2003/09/18 07:56:05 markus Exp $");
+
+ #include
+ #include
+@@ -143,6 +143,7 @@
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (fd < 0) {
+ error("open %s failed: %s.", filename, strerror(errno));
++ buffer_free(&encrypted);
+ return 0;
+ }
+ if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
diff --git a/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
new file mode 100644
index 000000000000..7868716bfff4
--- /dev/null
+++ b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
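Review bot: The new `buffer_free(&encrypted)` covers only the `open()` failure path; the `write()` check that begins on the hunk's last context line, and whatever follows it up to the function's return, are outside the hunk, so it is worth confirming those exits also release `encrypted` — otherwise the leak is narrowed rather than fixed. Because `buffer_free()` wipes the contents before freeing (visible in the buffer.c patch in this same commit), releasing the buffer on every exit also bounds how long the serialized data (presumably the key being saved, given the name) stays in memory; a short comment above the new call, `/* wipe and release the buffer on every exit path */`, would record that intent. The enclosing function starts and ends outside the hunk.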
@@ -0,0 +1,143 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild,v 1.1 2003/09/18 14:46:33 aliz Exp $
+
+inherit eutils flag-o-matic ccc
+[ `use kerberos` ] && append-flags -I/usr/include/gssapi
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH=${PARCH}+x509g2.diff.gz
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+IUSE="ipv6 static pam tcpd kerberos skey selinux X509"
+SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz
+ selinux? ( http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2 )
+ X509? ( http://roumenpetrov.info/openssh/x509g2/${X509_PATCH} )"
+
+# openssh recognizes when openssl has been slightly upgraded and refuses to run.
+# This new rev will use the new openssl.
+RDEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ kerberos? ( app-crypt/mit-krb5 )
+ selinux? ( sys-apps/selinux-small )
+ skey? ( app-admin/skey )
+ >=dev-libs/openssl-0.9.6d
+ sys-libs/zlib
+ >=sys-apps/sed-4"
+
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ sys-apps/groff
+ tcpd? 
( >=sys-apps/tcp-wrappers-7.6 )"
+
+SLOT="0"
+LICENSE="as-is"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~arm ~amd64 ~ia64"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ epatch ${FILESDIR}/${P}-connect-timeout.patch
+ epatch ${FILESDIR}/${P}-double-free.patch
+ epatch ${FILESDIR}/${P}-memory-leak.patch
+ epatch ${FILESDIR}/${P}-memory-bugs.patch
+
+ use selinux && epatch ${DISTDIR}/openssh_3.6p1-5.se1.diff.bz2
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+ use X509 && epatch ${DISTDIR}/${X509_PATCH}
+
+ use skey && {
+ # prevent the conftest from violating the sandbox
+ sed -i 's#skey_keyinfo("")#"true"#g' configure
+ }
+}
+
+src_compile() {
+ local myconf
+
+ myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with kerberos kerberos5 ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ use skey && {
+ # make sure .sbss is large enough
+ use alpha && append-ldflags -mlarge-data
+ }
+
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --mandir=/usr/share/man \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --host=${CHOST} ${myconf} || die "bad configure"
+
+ use static && {
+ # statically link to libcrypto -- good for the boot cd
+ sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+ }
+
+ use selinux && {
+ #add -lsecure
+ sed -i "s:LIBS=\(.*\):LIBS=\1 -lsecure:" Makefile
+ }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty/.keep
+}
+
+pkg_preinst() {
+ userdel sshd 2> /dev/null
+ if ! 
groupmod sshd; then
+ groupadd -g 90 sshd 2> /dev/null || \
+ die "Failed to create sshd group"
+ fi
+ useradd -u 22 -g sshd -s /dev/null -d /var/empty -c "sshd" sshd || \
+ die "Failed to create sshd user"
+}
+
+pkg_postinst() {
+ # empty dir for the new priv separation auth chroot..
+ install -d -m0755 -o root -g root ${ROOT}/var/empty
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+}
--
cgit v1.2.3-65-gdbad
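Review bot: `pkg_preinst` runs `userdel sshd` unconditionally and only then `useradd -u 22 ...`, so if UID 22 is already taken (or `useradd` fails for any other reason) the existing privilege-separation account is already gone when the merge dies, leaving a built sshd configured with `--with-privsep-user=sshd` and no such user; guard it, e.g. `getent passwd sshd >/dev/null || useradd -u 22 ... || die`, or keep the `userdel` until the re-create has succeeded. Two smaller points in the same file: `keepdir /var/empty/.keep` in `src_install` creates a directory named `.keep` inside the privsep chroot (probably meant `keepdir /var/empty`), and the `einfo` text misspells the option as `UsePrivelegeSeparation` (`UsePrivilegeSeparation`), which matters because users will grep sshd_config for it. The `[ \`use kerberos\` ]` test also calls `use` at file scope rather than inside a phase function; it is safer moved into `src_compile` next to the other `append-flags` call.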